tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: JAAS Realms, cookies and authentication
Date Thu, 11 Oct 2007 17:24:33 GMT

Emsley, I (Iain) wrote:
> What I'm trying to achieve is when the user logs in on main site and
> clicks the link to the Java calendar, the link will read the cookie
> (extracting the user name/password and converting into hex to send back
> to the main config files to check if it's valid whilst also checking that
> they are a member of our service) and then grant access to the
> application on success.

Shouldn't this happen automatically? When the browser makes an HTTP
connection to your server, as long as the hostname and path match, the
cookie will be sent automatically. Am I misunderstanding your thought?

Are you trying to implement "remember me" functionality?

> I was looking at the JAAS realm since the user information is kept in
> what is essentially a flat file db and trying to write a LoginModule
> which replicates the existing Perl scripts actions for checking
> username/password and membership.

I have no experience with JAASRealm. Would it be easier to write a
simple Realm instead of dealing with JAAS?

> AFAIUI, I'd need to write a servlet to
> process the cookie before hitting the JAAS realm though.

That's not going to happen: if you're using Tomcat's built-in
authentication and authorization mechanism, then basically none of your
code gets to run before the authentication is performed (unless you
write your own Realm, or JAAS LoginModule).

> Have I
> understood this correctly or can I get the LoginModule to do the
> processing (which appears to be implied in the Tomcat manual on Realms)?

Hopefully, the request object is available to your LoginModule or Realm
in order to do the authentication. That would allow you to substitute
the authentication information from the cookie instead of attempting to
get it from the request (parameters).

> Ultimately I will need to be able to log users in via http, https and
> the Shibboleth Single Sign On (for which I know there is a JAAS realm).

Aah, a better reason to use JAAS ;)

> As I understand it, as long as I have a config which lists all the
> various login methods, I should be able to stack these onto one Tomcat,
> or have I also misunderstood this? 

Sorry, I can't answer this, but I think that's what JAAS was made for:
multiple authentication methods glued together, and a simpler, more
stable interface (LoginModule) for implementation.

- -chris
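
The thread above discusses writing a JAAS LoginModule that replicates the
Perl script's checks (user name/password plus service membership) against a
flat-file user database, and stacking it with other login methods. The
following is an added example, written for this page; it is not code from
Chris, Iain or the Tomcat project. The record layout
("user:password:member:roles"), the sample records, and the class and field
names are all assumptions made for the illustration. The module takes the
credentials through the JAAS CallbackHandler, rejects unknown users and wrong
passwords with the same message, rejects non-members separately, and only
adds user and role Principals to the Subject in commit(), which is the
two-phase contract Tomcat's JAASRealm relies on.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not from the thread: a JAAS LoginModule that checks user name
// and password against a flat-file user database, requires membership of the
// service, and adds user and role Principals to the Subject for JAASRealm.
public class FlatFileLoginModule implements LoginModule {
    // Constructed sample of the flat file, "user:password:member:roles" per line.
    // Assumed layout; a real file would store password hashes and would be
    // located through the options map passed to initialize().
    static final String SAMPLE_DB =
          "alice:s3cret:yes:calendar,staff\n"
        + "bob:hunter2:no:calendar\n"
        + "# comment lines are ignored\n";

    // Two classes so JAASRealm can tell users from roles by class name
    // (its userClassNames and roleClassNames attributes).
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
        public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    public static class RolePrincipal extends UserPrincipal { public RolePrincipal(String n) { super(n); } }

    private Subject subject; private CallbackHandler handler;
    private String user; private List<String> roles;
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    // Phase 1: get the credentials through the CallbackHandler (JAASRealm's
    // answers with the submitted user name and password) and verify them.
    // Nothing is added to the Subject until commit().
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nameCb, pwCb }); }
        catch (Exception e) { throw new LoginException("could not obtain credentials: " + e); }
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        String[] rec = lookup(nameCb.getName());
        // One message for unknown user and wrong password: no user enumeration.
        boolean ok = rec != null && constantTimeEquals(rec[1].toCharArray(), pw);
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("invalid user name or password");
        if (!"yes".equals(rec[2])) throw new FailedLoginException("not a member of the service");
        user = rec[0];
        roles = Arrays.asList(rec[3].split(","));
        return true;
    }

    // Phase 2: only now expose the identity to the container.
    public boolean commit() {
        if (user == null) return false;
        added.add(new UserPrincipal(user));
        for (String r : roles) if (r.length() > 0) added.add(new RolePrincipal(r));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { user = null; roles = null; return true; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return abort(); }

    static String[] lookup(String name) { // the user's record, or null if absent
        for (String line : SAMPLE_DB.split("\n")) {
            if (line.length() == 0 || line.startsWith("#")) continue;
            String[] f = line.split(":", -1);
            if (f.length == 4 && f[0].equals(name)) return f;
        }
        return null;
    }

    // Compare every character instead of stopping at the first mismatch.
    static boolean constantTimeEquals(char[] a, char[] b) {
        if (a == null || b == null) return false;
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Stand-alone run driving the module directly; under Tomcat a LoginContext
    // named in the JAAS login configuration does this instead.
    public static void main(String[] args) {
        String[][] tries = { { "alice", "s3cret" }, { "bob", "hunter2" }, { "alice", "wrong" } };
        for (String[] t : tries) {
            final String name = t[0], pass = t[1];
            Subject s = new Subject();
            FlatFileLoginModule m = new FlatFileLoginModule();
            m.initialize(s, new CallbackHandler() {
                public void handle(Callback[] cbs) {
                    for (Callback c : cbs) {
                        if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                        else ((PasswordCallback) c).setPassword(pass.toCharArray());
                    }
                }
            }, null, null);
            try {
                m.login(); m.commit();
                System.out.println(name + ": accepted " + s.getPrincipals());
            } catch (LoginException e) {
                m.abort();
                System.out.println(name + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

To use this under Tomcat's JAASRealm you would give the module an entry in
the JAAS login configuration file (for example "Calendar {
FlatFileLoginModule required; };", with the file named via the
java.security.auth.login.config system property) and point the Realm element
at it with appName="Calendar", userClassNames set to the UserPrincipal class
name and roleClassNames set to the RolePrincipal class name. Stacking
further modules (an HTTPS-only or Shibboleth one, say) is a matter of adding
them to the same entry with the appropriate required/sufficient flags. Two
caveats the thread does not spell out: the LoginModule never sees the
HttpServletRequest or its cookies, it only receives whatever Tomcat's
authenticator valve has already extracted from the request and passed through
the CallbackHandler, so cookie handling belongs in front of the Realm, not in
it; and a cookie that carries the user's password (hex-encoded or not) hands
that password to anyone who can read the cookie, which is why a random,
server-side session token is the usual design for the "remember me" case
Chris asks about.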
